Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I've searched a lot over this and I've come to this conclusion. Banning the IP is the best way to protect your server, but of course the attacker can use another IP and use a lot of your bandwidth until you find and ban that IP. So the only thing we can do to prevent this is block the packets with the iptables length module.

I check the bandwidth usage through "iftop". Incoming traffic is always around 120 kb/second, and that has to be that way because the traffic enters my server; no doubt it gets dropped by iptables later.

What the DDoS (UDP flood) actually does is cause outbound traffic that easily eats up 5 mb/second, and my servers lag. Only when the IP is banned does the outbound traffic come to an end.

Now I want to use the length module to block it, but it just won't work. I've tried the following, and shuffled them too, but no help.

Have you looked into rate limiting? It puts a limit on the number of connections a particular IP can establish per unit of time. One of its purposes is to stop DoS floods. You can specify ports, protocols, etc. to fine-tune what you want to protect, too. Here is a link on the subject, though there are several of them available.

There are several ways you can block them: block the IP, block the whole provider they are using, block the port range, or put a connection limit on the number of connections a client can establish, which the email I showed you provides.

I can't tell you what connection limits to pick from your traffic. That is something you will need to determine and experiment with.

Yes that's the traffic I want to block.

I can ban an IP address easily, but only once I get to the server. Even before I arrive, the attacker easily spikes my port until I ban his IP. So I don't want that; I want to limit it even if I don't know his IP, based on the attack he uses.

As you can see the length is 15, but it doesn't work until I put length 43 in iptables. Only in that case is the outgoing traffic to this IP null, but sadly my server disappears from the master server list and the favorites list. We can only connect by IP. I don't know what weird stuff that is.

Rate limiting could be good, but I don't know what the command should be for the rate and what number of packets/second to use.

That will limit any IP to 10 connections per minute. Beyond that, they will be blocked temporarily until they fall below the limit. You will need to experiment to find what values work. It will stop a connection flood.

I saw using tshark and tcpdump that the IP makes about 5 connections per second, and the command I entered is even beyond that, so it should cover it easily, but it doesn't look like it's being blocked, because with this command my IP makes 1 mb/s to the DoSer's IP based on his incoming 50 kb/s. Outgoing only becomes 0 kb/s when the IP is banned.

Yes, the interface parameter is optional and if you leave it off, it will apply the rule to all interfaces, which is probably what you want.

To clarify, as your last post wasn't clear in this regard: you need to use BOTH iptables rules that I posted together, as they work in tandem. Using only one of them won't work. The first rule triggers the rule set on the establishment of a connection, and the second one uses this information to rate limit.

Here is a slight variant on the above, modified for your application. Note that in your initial code you had traffic on ports below 20100, so I am not sure why you picked that as the lower range. I KNOW from experience that these lines work, as I have used them on port 80 and locked myself out when viewing pages with BASE (the Snort viewer).

I am glad that it worked. You will want to watch your legitimate traffic for a while to make sure that you aren't having any side effects. Filtering techniques can be highly effective, but often need to be tweaked a bit.

Hello guys, I was about to add some kind of DDoS protection to my VPS because of the constant lag caused by some idiot DDoSer. I'm trying to run a SoF2 game server; it uses the 20100-20500 UDP port range. I tried what you suggested above, but with no success.

From the initial comments it sounds like you've tried the blacklisting approach; it might be easier to whitelist IPs instead, i.e. block everything and allow communications to/from known subnets or host addresses.

This is my 2 cents' worth, 'so to speak'.
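Added example, not posted by anyone in this thread: one script that ties together the length observation above (the capture shows length 15, but iptables only matches at length 43), the two-rule `recent` tandem that caps a source at 10 new connections per minute, and the whitelist suggestion. The iptables `length` match compares the whole IPv4 datagram, so a UDP packet carrying 15 bytes of payload is 20 (IPv4 header without options) + 8 (UDP header) + 15 = 43 bytes to iptables; the script assumes the 15 seen in the capture was the UDP payload length. Dropping every 43-byte packet evidently also drops the traffic the master server and clients use to find the server (which is why the server vanished from the lists), so the script instead drops flood-sized packets only from a source that sends them faster than a normal client would, using `hashlimit`. The port range 20100:20500 and the 10-per-minute figure come from the thread; the chain name GAME_FLOOD and the 20/sec and 200/sec per-source rates are illustrative values to tune against real traffic. It needs the xt_length, xt_recent, xt_hashlimit and conntrack modules, prints the commands by default (IPT=echo), and only installs them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a UDP game server
# being flooded on its port range. By default the commands are only printed;
# run as root with IPT=iptables to install them.
set -eu

IPT="${IPT:-echo}"                        # IPT=iptables to really apply
GAME_PORTS="${GAME_PORTS:-20100:20500}"   # UDP port range of the game server
CHAIN="GAME_FLOOD"                        # hypothetical chain name
TRUSTED="${TRUSTED:-}"                    # space-separated CIDRs that are never limited

# The length match compares the total IPv4 datagram length, not the UDP payload:
# payload + 20 (IPv4 header, assumed without options) + 8 (UDP header).
# A 15-byte payload therefore shows up as 43 bytes to iptables.
ipv4_udp_total_length() {
    echo $(( 20 + 8 + $1 ))
}

# Build the chain for a flood whose packets carry $1 bytes of UDP payload.
flood_rules() {
    payload="$1"
    total=$(ipv4_udp_total_length "$payload")

    $IPT -N "$CHAIN" 2>/dev/null || true   # create once, then just flush
    $IPT -F "$CHAIN"

    # 1. Trusted sources (admin host, master servers) skip every limit.
    for net in $TRUSTED; do
        $IPT -A "$CHAIN" -s "$net" -j RETURN
    done

    # 2. Per-source cap on NEW flows: the first rule only records the source,
    #    the second drops it once it opened more than 10 flows in 60 s.
    #    Both rules are needed; either one alone does nothing useful.
    $IPT -A "$CHAIN" -m conntrack --ctstate NEW -m recent --name game_new --set
    $IPT -A "$CHAIN" -m conntrack --ctstate NEW -m recent --name game_new \
        --update --seconds 60 --hitcount 10 -j DROP

    # 3. Packets of the flood's exact size are dropped only when one source
    #    sends them faster than a client or master server plausibly would, so
    #    an occasional query packet of the same size still gets through.
    $IPT -A "$CHAIN" -m length --length "$total" \
        -m hashlimit --hashlimit-name game_flood --hashlimit-mode srcip \
        --hashlimit-above 20/sec --hashlimit-burst 40 -j DROP

    # 4. Overall per-source packet-rate ceiling for the whole port range.
    $IPT -A "$CHAIN" -m hashlimit --hashlimit-name game_rate --hashlimit-mode srcip \
        --hashlimit-above 200/sec --hashlimit-burst 400 -j DROP

    # Only game traffic enters the chain; remove a stale jump before adding it.
    $IPT -D INPUT -p udp --dport "$GAME_PORTS" -j "$CHAIN" 2>/dev/null || true
    $IPT -I INPUT -p udp --dport "$GAME_PORTS" -j "$CHAIN"
}

flood_rules "${FLOOD_PAYLOAD:-15}"
```

Run `sh game_flood.sh` to see the rules, then `sudo IPT=iptables TRUSTED="203.0.113.0/24" FLOOD_PAYLOAD=15 sh game_flood.sh` to install them (203.0.113.0/24 is a documentation range standing in for your own addresses), and check hits with `iptables -L GAME_FLOOD -v -n`. Since the multi-megabit outbound traffic described earlier in the thread is the server answering the flood, dropping the packets in INPUT stops it as effectively as banning the address: the inbound bytes still arrive on the link, but they never reach the game process, so no replies are generated. Tune the rates against a capture of real clients before trusting the values.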

If you're a wizard who knows every single IP connecting to a game server, what you wrote makes sense. Otherwise it may be considered spam, just to confuse whoever can help me or others, or just to have +1 post.